LIVE exploit → https://home.smava-shared.de (real production)

Origin: . Preconditions for a real hit: the victim is logged into the smava Kundenbereich in this browser. This page never frames the target — it only window.open()s it (X-Frame-Options DENY does not stop popups) and speaks the teal RPC. Responders mount once the Kundenbereich loan-funnel iframe renders, so requests are looped for ~20s.

idle…